Overview
This week we look at security updates for Unbound, OpenSSL, Flask, FreeRDP,
Django and more, plus Joe and Alex discuss the Octopus malware infecting
Netbeans projects.
This week in Ubuntu Security Updates
40 unique CVEs addressed
[USN-4374-1] Unbound vulnerabilities
- 2 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- NXNS attack (Episode 75) (form of DNS reflection attack)
- Infinite loop when processing malformed answers from upstream servers ->
CPU DoS
- 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- DoS via upload of files with very long names -> memory allocation
failure stops the process, which then fails to clean up its temp file on
disk -> disk space DoS
[USN-4376-1] OpenSSL vulnerabilities
- 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10)
- Timing side-channel attack against ECDSA signatures -> recover private
keys
- RNG state shared between parent and child process across fork()
- Vulnerable to padding oracle attack -> decrypt traffic
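The fork() bullet above describes a bug class rather than a single call: a child process inherits a byte-for-byte copy of the parent's PRNG state, so both sides hand out the same "random" values until one of them reseeds. The following is an added example, not OpenSSL's code or the USN's fix; it models the problem with Python's userspace `random.Random` instead of OpenSSL's DRBG, and the seed value is a constructed constant.

```python
import os
import random
from typing import Tuple


def _draw(rng: random.Random, n: int) -> bytes:
    """Pull n bytes from the PRNG's current state."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def fork_rng_streams(reseed_in_child: bool, n: int = 16) -> Tuple[bytes, bytes]:
    """Seed one PRNG, fork, and return (parent_bytes, child_bytes).

    The child inherits a copy of the PRNG state.  Without a reseed it
    emits exactly the same stream the parent will emit next.
    """
    rng = random.Random(0x5EED)   # constructed fixed seed, for reproducibility
    rng.getrandbits(64)           # advance the state a little before forking
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:                  # --- child ---
        os.close(rd)
        if reseed_in_child:
            # Mitigation: mix fresh OS entropy into the child's state.
            # os.register_at_fork(after_in_child=...) is the place to do
            # this once, globally, in a real program.
            rng.seed(os.urandom(32))
        os.write(wr, _draw(rng, n))
        os.close(wr)
        os._exit(0)
    os.close(wr)                  # --- parent ---
    child = b""
    while len(child) < n:
        chunk = os.read(rd, n - len(child))
        if not chunk:
            break
        child += chunk
    os.close(rd)
    os.waitpid(pid, 0)
    return _draw(rng, n), child


def streams_collide(reseed_in_child: bool) -> bool:
    """True when parent and child produced identical 'random' bytes."""
    parent, child = fork_rng_streams(reseed_in_child)
    return parent == child


if __name__ == "__main__":
    print("no reseed -> identical streams:", streams_collide(False))  # True
    print("reseed    -> identical streams:", streams_collide(True))   # False
```

Any library that keeps PRNG state in process memory needs the same treatment: either reseed on fork or detect the PID change and reseed lazily before the next draw.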
[USN-4360-4] json-c vulnerability
- 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- Episode 75 -> the original update introduced a regression and a
follow-up update backed the fix out -> now the vuln is properly fixed
without the regression
- 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
- Episode 75 (ar archive handling)
[USN-4367-2] Linux kernel regression
- 3 CVEs addressed in Focal (20.04 LTS)
- 5.4 kernel (Episode 75)
- overlayfs regression - triggered by changes added for shiftfs to
special-case overlayfs - BUT the bug was in fact already present in
overlayfs and the shiftfs changes merely exposed it - so for now revert
the shiftfs related changes until it is fixed properly in overlayfs itself
[USN-4369-2] Linux kernel regression
- Affecting Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- “AddTrust External Root CA” certificate had expired - curl and other
applications would fail to connect if they found a certificate chain
which validated via this cert (even if other paths in the chain would be
valid) - removing this cert is the easiest way to fix the issue.
- Updated the certs for 16.04 & 18.04 LTS as well
[USN-4378-1] Flask vulnerability
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
- DoS via memory exhaustion on crafted inputs
[USN-4379-1] FreeRDP vulnerabilities
- 19 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- Various issues including an OOB write in RSA crypto handling, an OOB
read in font handling, info disclosure via the ability to read client
memory as color info, etc.
[USN-4380-1] Apache Ant vulnerability
- 1 CVE addressed in Eoan (19.10)
- Info leak to / malicious code execution by a local user due to the use
of the system-wide /tmp for several tasks (Mike Salvatore)
[USN-4381-1] Django vulnerabilities
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- XSS via the admin ForeignKeyRawIdWidget due to failure to properly
encode query parameters
- Failure to properly validate memcached cache keys - could allow a remote
attacker to cause a DoS or info leak
Goings on in Ubuntu Security Community
Alex and Joe discuss the GitHub report on Octopus malware targeting Netbeans projects
Get in contact